Filter
Top Products
5-20
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an
existing network object or group or create a new object or group from the Browse Original Source
Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one
type only. The default is any, but do not use this option except for identity NAT. See the
“Configuring Identity NAT” section on page 5-24 for more information.
b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button
and choose an existing network object or group or create a new object or group from the Browse
Original Destination Address dialog box.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination
address is optional. If you do specify the destination address, you can configure static translation for
that address or just use identity NAT for it. You might want to configure twice NAT without a
destination address to take advantage of some of the other qualities of twice NAT, including the use
of network object groups for real addresses, or manually ordering of rules. For more information,
see the “Main Differences Between Network Object NAT and Twice NAT” section on page 3-15.
Step 4 (Optional) Identify the original packet source or destination port (the real source port or the mapped
destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose
an existing TCP or UDP service object or create a new object from the Browse Original Service dialog
box.
A service object can contain both a source and destination port. You should specify either the source or
the destination port for both the real and mapped service objects. You should only specify both the source
and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed
source ports are rare. In the rare case where you specify both the source and destination ports in the
object, the original packet service object contains the real source port/mapped destination port; the
translated packet service object contains the mapped source port/real destination port. NAT only
supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service
objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for
both the real and mapped ports. The “not equal” (!=) operator is not supported.
Real: 192.168.1.1
Mapped: 10.1.1.1
Real: 10.1.2.2
Mapped: 192.168.2.2
NAT
Source Destination
Outside
Inside
10.1.2.2 ---> 10.1.1.1 192.168.2.2 ---> 192.168.1.1
Original Packet Translated Packet